TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Affordable Care Act: Improvements Are Needed to Strengthen Systems Development Controls for the Premium Tax Credit Project

September 27, 2013

Reference Number: 2013-23-119

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
2 = Risk Circumvention of Agency Regulation or Statute

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta

HIGHLIGHTS

AFFORDABLE CARE ACT: IMPROVEMENTS ARE NEEDED TO STRENGTHEN SYSTEMS DEVELOPMENT CONTROLS FOR THE PREMIUM TAX CREDIT PROJECT

Final Report issued on September 27, 2013

Highlights of Reference Number: 2013-23-119 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

In March 2010, the President signed into law the Health Care and Education Reconciliation Act of 2010 and the Patient Protection and Affordable Care Act (ACA) (collectively referred to as the ACA). The ACA law seeks to provide more Americans with access to affordable health care. The Premium Tax Credit (PTC) Project falls under the IRS ACA Program. Beginning January 2014, eligible taxpayers who purchase health insurance through an Exchange may qualify for and request a refundable tax credit (the PTC) to assist with paying their health insurance premium. The credit is claimed on the taxpayer’s Federal tax return at the end of each coverage year. Because it is a refundable credit, taxpayers who have little or no income tax liability can still benefit. The PTC can also be paid in advance to a taxpayer’s health insurance provider to help cover the cost of premiums. This credit is referred to as the Advanced Premium Tax Credit (APTC).

WHY TIGTA DID THE AUDIT

The overall objective of this review was to determine if the IRS is adequately managing systems development risks for the PTC Project. TIGTA evaluated the IRS’s key management controls and processes for risk management, requirements and change management, testing, security, and fraud detection for the PTC Project, which is being developed in the IRS’s new Enterprise Life Cycle Iterative Path.

WHAT TIGTA FOUND

The IRS has completed development and testing for the PTC Computation Engine (PTC-CE) needed to calculate the APTC and the Remainder Benchmark Household Contribution. In addition, the IRS developed a process to verify the accuracy of the PTC-CE calculations. However, improvements are needed to ensure the long-term success of the PTC Project by adherence to systems development controls for: (1) configuration and change management; (2) interagency test management process; (3) security; and (4) fraud detection and mitigation, in accordance with applicable guidance.

WHAT TIGTA RECOMMENDED

TIGTA made seven recommendations to the IRS Chief Technology Officer. In management’s response to the report, the IRS agreed with six of the recommendations and plans to implement corrective actions.

However, the IRS disagreed with one of our recommendations to ensure that the Cybersecurity organization resolves or develops an action plan for the failed security tests. TIGTA maintains that this recommendation should be addressed to verify that corrective measures for failed controls have been implemented.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 27, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney, Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Affordable Care Act: Improvements Are Needed to Strengthen Systems Development Controls for the Premium Tax Credit Project (Audit # 201320312)

This report presents the results of our review of how the Premium Tax Credit (PTC) Project managed controls over systems development of the Premium Tax Credit Computation Engine. The overall objective of this review was to determine if the Internal Revenue Service (IRS) is adequately managing systems development risks for the PTC Project. Specifically, we evaluated the IRS’s key management controls and processes over risk management, requirements and change management, testing, security, and fraud detection while the PTC Project followed the Enterprise Life Cycle Iterative Path systems development and testing process. This audit is included in the Treasury Inspector General for Tax Administration Fiscal Year 2013 Annual Audit Plan and addresses the following major management and performance challenges confronting the IRS: (1) Implementing the Affordable Care Act and Other Tax Law Changes and (2) Security for Taxpayer Data and Employees.

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have questions, please contact me or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background ... Page 1

Results of Review ... Page 4
    The Internal Revenue Service Has Completed Development and Testing for the Premium Tax Credit Computation Engine Needed for the Advanced Premium Tax Credit ... Page 4
    The Internal Revenue Service Developed a Process to Verify the Accuracy of the Premium Tax Credit Computation Engine Calculations ... Page 4
    Configuration and Change Management Controls Need Improvement to Ensure Long-Term Success for the Premium Tax Credit Project ... Page 5
        Recommendations 1 and 2: ... Page 8
    Interagency Test Management Process Controls Need Improvement to Ensure Long-Term Success of the Premium Tax Credit Project ... Page 9
        Recommendation 3: ... Page 10
    Security Control Processes Need Improvement to Ensure Long-Term Success of the Premium Tax Credit Project ... Page 10
        Recommendations 4 and 5: ... Page 13
    A Fraud Mitigation Strategy Is Not in Place to Guide Affordable Care Act Systems Development, Testing, Initial Deployment, and Long-Term Operations ... Page 14
        Recommendations 6 and 7: ... Page 15

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ... Page 17
    Appendix II – Major Contributors to This Report ... Page 19
    Appendix III – Report Distribution List ... Page 20
    Appendix IV – Partial Process Diagram for Affordable Care Act 3.0, Including the Maximum Advanced Premium Tax Credit Calculation Process ... Page 21
    Appendix V – Glossary of Terms ... Page 24
    Appendix VI – Management’s Response to the Draft Report ... Page 28

Abbreviations

ACA     Affordable Care Act
APTC    Advanced Premium Tax Credit
CE      Computation Engine
CMS     Centers for Medicare and Medicaid Services
CR      Change Request
FPL     Federal Poverty Level
HHS     Department of Health and Human Services
IRM     Internal Revenue Manual
IRS     Internal Revenue Service
IT      Information Technology
JBOSS   JavaBeans Open Source Software
PMO     Program Management Office
PTC     Premium Tax Credit
RBHC    Remainder Benchmark Household Contribution
RRP     Return Review Program
RTVM    Requirements Traceability Verification Matrix
TIGTA   Treasury Inspector General for Tax Administration

Background

In March 2010, Congress passed two pieces of legislation that the President later signed into law—the Health Care and Education Reconciliation Act of 2010 and the Patient Protection and Affordable Care Act (ACA).[1] Collectively, this legislation is referred to as the ACA. The ACA legislation seeks to provide more Americans with access to affordable health care by creating a new Health Insurance Marketplace, enforcing patient/consumer protections, and providing Government subsidies for people who cannot afford insurance. The Marketplace simplifies an applicant’s search for health coverage by providing multiple options in one place and comparing plans based on price, benefits, quality, and other important features that help consumers make a choice. The Health Insurance Marketplace is commonly referred to as “Exchanges,” which is the terminology we will use in this report.

In order to enroll in health insurance coverage offered through an Exchange, taxpayers must complete an application and meet certain eligibility requirements defined by the ACA. For example, they must be U.S. citizens or legal immigrants. Exchanges offer insurance plans by private companies, and taxpayers can access qualified health plan information online, via a call center, or in person. The qualified health plans cover the same core set of benefits called “essential health benefits,” and no plan can turn an applicant away or charge more because of a preexisting illness or medical condition. The Exchanges are intended to provide a place for Americans to shop for health insurance in a competitive environment.

The ACA requires that enrollment for the Exchanges begin on October 1, 2013, and that the Exchanges become operational and offer health coverage starting on January 1, 2014. Beginning January 2014, eligible taxpayers who purchase health insurance through an Exchange may qualify for and request a refundable tax credit[2] to assist with paying their health insurance premium. The credit is called the Premium Tax Credit (PTC) and is claimed on the taxpayer’s Federal tax return at the end of each coverage year.[3] Because the PTC is a refundable credit, taxpayers who have little or no income tax liability can still benefit.[4]

[1] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029. See Appendix V for a glossary of terms.
[2] Any tax credit that is refundable can be used to reduce a taxpayer’s tax liability to zero. Any excess of the credit beyond the tax liability can be refunded to the taxpayer.
[3] The period that the taxpayer received coverage from a qualified health plan.
[4] A refundable credit can be claimed even if the taxpayer does not owe any tax during the coverage year.

The PTC can also be paid in advance to a taxpayer’s health insurance provider to help cover the cost of premiums. This credit is referred to as the Advanced Premium Tax Credit (APTC). The APTC will be available for individuals and families without minimal essential coverage, whose incomes are at least 100 percent and up to 400 percent of the Federal Poverty Level (FPL). The APTC is paid monthly on behalf of the taxpayer to the health insurance provider to offset the costs of the premiums. Payments will be issued by the Federal Management Services branch of the Department of the Treasury. Starting in January 2015, taxpayers must include the amount of any APTC on their tax return and reconcile it to the allowable amount of PTC.

The Internal Revenue Service’s (IRS) role with respect to the ACA is to implement and administer the ACA provisions that have an impact on tax administration. The IRS’s implementation plan for ACA Exchange provisions includes providing information that will support the Department of Health and Human Services (HHS) and the Exchanges in three main areas: (1) eligibility and enrollment; (2) developing calculations for the maximum APTC; and (3) reconciling PTCs with reported taxable income. While the HHS is leading development efforts for ACA policy provisions, the legislation requires the IRS to build new computer applications, modify existing systems, create or revise business processes and fraud detection systems, and deploy and test new interagency communication portals to support ACA operations.

Recognizing the integral role that information technology plays in executing the IRS’s portion of the ACA legislation, the IRS created the ACA Information Technology (IT) Program Management Office (ACA PMO) to ensure a dedicated focus on fulfilling ACA requirements. Within the ACA PMO are various project offices that focus on specific areas of ACA development. The PTC Project includes all PTC processes related to the development of the PTC Computation Engine (PTC-CE), and the IT Implementation and Testing organization verifies that the requirements and design for all PTC systems have been adequately tested and correctly implemented. The ACA PMO has segmented implementation of the ACA into various releases. ACA Release 3.0 (ACA 3.0) focuses on the Eligibility and Enrollment process area. The IRS’s overall objective for the PTC Project as part of ACA 3.0 is to receive requests from Exchanges, calculate maximum monthly APTCs and Remainder Benchmark Household Contributions (RBHC), and return the responses to the Exchanges via the HHS Hub. Within the PTC Project, the PTC-CE will calculate the maximum amount of APTC that a recipient is allowed in advance of tax filing and the resulting RBHC.

The IRS’s calculation of the maximum allowable amount of the APTC is initiated with a request from an Exchange to the IRS PTC-CE. In the request, the Exchange passes four inputs to the IRS’s PTC-CE: (1) household income; (2) coverage year; (3) income as a percentage of the FPL; and (4) the adjusted premium for the applicable Second Lowest Cost Silver Plan. The Exchange receives two outputs from the IRS PTC-CE: (1) the maximum monthly APTC and (2) the RBHC. Appendix IV provides a partial process diagram for ACA 3.0, including the maximum APTC calculation process.

The scope of our audit was limited to reviewing the PTC Project under ACA 3.0 activities. We conducted our review to determine if the IRS is adequately managing systems development risks for the PTC Project, which is considered a major component of the ACA Program. This review was performed at the ACA PMO in Lanham, Maryland, during the period November 2012 through July 2013. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

The IRS has completed development and testing for the PTC-CE, which is needed to calculate the APTC and the RBHC. To complete this project, the IRS also developed and implemented a process for verifying the accuracy of the PTC-CE calculations. However, improvements are needed to ensure the long-term success for the PTC Project by adherence to systems development controls for: (1) configuration and change management; (2) interagency test management process; (3) security; and (4) fraud detection and mitigation in accordance with applicable guidance.

The Internal Revenue Service Has Completed Development and Testing for the Premium Tax Credit Computation Engine Needed for the Advanced Premium Tax Credit

The IRS has completed functional development and testing of the PTC-CE, which will calculate the maximum APTC and the RBHC. This was accomplished by applying the IRS’s new Iterative Systems Development Life Cycle through a requirements discovery, planning, design, development, and testing process known as “sprints.” The IT Implementation and Testing organization conducted a PTC system test over three sprints to verify (1) the calculation of the maximum APTC and (2) the calculation of the RBHC. The IT Implementation and Testing organization’s Consolidated Project-Level End-of-Test Completion Report, dated January 7, 2013, states that, “the results observed during the functional and regression testing efforts as well as during checkpoint reviews with business owners for PTC indicate the system satisfies the approved business requirements.”

The Internal Revenue Service Developed a Process to Verify the Accuracy of the Premium Tax Credit Computation Engine Calculations

On April 15, 2013, the IRS provided an Excel spreadsheet that it used to manually calculate the PTC-CE outputs (Manual Calculator). The IRS compared the outputs from the Manual Calculator to the actual system results to validate the PTC-CE outputs. At the time of our review, based on a judgmental sample of eight test cases, we were able to replicate the IRS’s process for validating that the PTC-CE accurately calculated the maximum APTC and RBHC amounts.[5] To select the eight test cases, we judgmentally sampled four PTC requirements out of a total of 35. We selected these four requirements because they are the requirements that directly relate to the PTC-CE. Then, out of a total of 527 test cases related to the four requirements, we judgmentally sampled two functional test cases for each of the requirements, for a total of eight test cases. All eight test cases contained the four PTC-CE input values as required to properly calculate the maximum APTC and the RBHC. We ran the test case input values through the Manual Calculator and documented the maximum APTC and RBHC results. We then compared the manual results to the actual system results and they matched.

[5] Our audit did not consider the completeness of IRS’s total population of functional test cases related to the PTC-CE. A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

    Overall Management’s Response: The Chief Technology Officer stated in his written management response to the draft report, “I was pleased to read your observation acknowledging that our PTC-CE accurately calculated the maximum APTC.”

    Office of Audit Comment: We have one point of clarification related to the above statement. Our audit focused on systems development controls and testing processes developed by the IRS. Our review did not verify operational accuracy of the PTC-CE beyond the test environment that we considered. Specifically, during this review, the audit team replicated the IRS’s verification process in a judgmental sample of eight test cases. Our sample considered specific test cases that included requirements and conditions being tested by the IRS during the time frame of our review. However, the audit scope did not include all functional test cases planned or completed by the IRS with the development of the PTC-CE. Further, verification of results for a judgmental sample of test cases is a nonstatistical sample and the results cannot be applied to the overall testing or system development processes.

Configuration and Change Management Controls Need Improvement to Ensure Long-Term Success for the Premium Tax Credit Project

Configuration management controls were not consistently followed

The purpose of configuration management controls is to establish and maintain the integrity of work products, including testing documentation, throughout their life cycle.[6] Configuration management controls are also needed to ensure that changes are authorized, controlled, and tracked for project documentation, hardware, and software. It is important that the IRS creates test cases to specify and document whether systems requirements and conditions are tested to validate that each system functions as intended.[7] Documentation for each test case should include the requirements being tested to help ensure that each requirement is included in a test case and properly tested.

[6] The ACA Program Configuration Management Plan, in accordance with Internal Revenue Manual (IRM) 2.27.1, Configuration Management (Jan. 2010), establishes configuration management policies, processes, and procedures.
[7] IRM 2.6.1, Product Assurance, Test, Assurance, and Documentation Standards and Procedures (Nov. 2010).

In order for the IRS to calculate the maximum APTC amounts that it will provide to the Exchanges, a computation will be performed by the IRS based on four inputs, including the applicant’s income as a percentage of the FPL. The FPL input value is one of the four inputs that determine the maximum APTC amount that an applicant can receive when applying for a tax credit under the ACA legislation.

Configuration management controls were not followed with two test cases for the software code related to the FPL percentage requirement. IT Implementation and Testing organization management informed us that our audit prompted them to discover that the original Test Case 128 and its run history were inadvertently overwritten when updates were made to the test case after it was not properly controlled in the IT Implementation and Testing organization’s test case repository. As a result, Test Case 128 and its run history were lost. Test Case 128 was later re-executed after updates were made to test the FPL software code change. Management also discovered that Test Case 130 was initially developed and executed with an outdated input data file, which necessitated that the test case be re-executed.

Based on our observation, we believe that if this control weakness had not been addressed prior to the implementation of the PTC-CE, the IRS would have tested this critical system requirement using incorrect input data. Further, this approach could have resulted in the PTC-CE incorrectly calculating the maximum APTC for applicants. This condition in turn could result in improper tax payments. Moreover, if test case documentation is not adequately controlled during systems development, the IRS may not have sufficient assurance that all mission-critical APTC requirements are adequately tested and that the PTC-CE system functions as intended.

Management Action: The IT Implementation and Testing organization stated that it is taking both short-term and long-term management action by identifying process improvements to make. For example, in the short term, it will change how input data files and test cases are stored in its repository and will add a date to the test case file names to help avoid overwriting a previously executed test case. It will also enhance testing peer reviews to (1) verify that the current input data file is stored in the main folder and that test cases include the current input data file and (2) check the run history of the test cases to ensure that they have not been overwritten. In the long term, it will use a test case tool for test case management that will provide version control over the test cases.

Change management controls need improvement

The IRS requires that a change request (CR) be prepared and approved to change baseline requirements.[8] According to the ACA Program Requirements Plan, requirements changes start with the initiation of a CR, which is the medium for requesting approval to change a baselined requirement. Once a CR is developed, it should be reviewed and dispositioned[9] by the appropriate Change Control Board.[10] Test cases are created to specify and document the conditions to be tested and to validate that a system functions as intended.[11] The test case should include the requirement(s) being tested to ensure that each requirement is included in a test case and properly tested to ensure that the system functions as intended. The Requirements Traceability Verification Matrix (RTVM) is an important management tool that the IRS relies on to ensure that all PTC requirements are included in test cases and adequately tested.

There were a total of 10 PTC CRs. Of these, we identified two CRs (PTC CR06 and PTC CR07) that modified requirements to the PTC-CE software code.[12] Details for these requirements are provided in Figure 1.

Figure 1: Details Regarding CRs PTC CR06 and PTC CR07

Columns: PTC CR # | Changed Requirement Number | Changed Requirement Name | Changed Requirement Description
All table entries are redacted (Redaction Legend code 2).

Source: CR numbers PTC CR06 and PTC CR07.

[8] The ACA Program Configuration Management Plan, in accordance with IRM 2.27.1 (Jan. 2010), requires that a CR be prepared and approved to change baseline requirements.
[9] According to the ACA PMO Configuration Management Plan, dispositioned is defined as to approve, conditionally approve, defer, disapprove, elevate, or remand a CR by the appropriate Change Control Board.
[10] A CR is reviewed and first dispositioned by the PTC Project Change Control Board. If the change exceeds the disposition approval authority for the Project Change Control Board, then the change will be reviewed and dispositioned by the ACA PMO Change Control Board.
[11] IRM 2.6.1, Product Assurance, Test, Assurance, and Documentation Standards and Procedures (Nov. 2010).
[12] The FPL value is one of the four inputs for calculating the maximum APTC amount.

Although the PTC Project Team prepared PTC CR06 and PTC CR07 for these two changed baselined requirements, these specific CRs did not include the affected requirement numbers or descriptions, which would have facilitated the traceability of requirements and test cases to the RTVM. PTC Project management explained that these CRs did not include the affected requirement numbers or descriptions because the CR template and the Change Request Tracking System do not include requirement number and description fields.

We believe that it is important to include the affected requirements in the CRs to ensure adequate traceability of requirements and test cases to the RTVM. This is particularly important to ensure that requirements are included in test cases and adequately tested. Without traceability from CRs, to requirements, and then to the RTVM, the IRS may not have the ability to verify that the changes to the software code were successfully tested. As a result, the PTC-CE could possibly calculate the maximum APTC incorrectly, which could potentially result in inaccurate maximum APTC amounts for individual applicants. This condition in turn could result in improper tax payments. Further, the IRS may not have complete assurance that all mission-critical APTC requirements are adequately tested to ensure that the ACA system functions as intended.

Management Action 2: Based on our discussions of this finding with the IRS, the PTC Project management team agreed to take immediate action by updating PTC CR06 and PTC CR07 to include the affected requirement numbers and to facilitate traceability from the CRs to the requirements and then to the RTVM.

Recommendations

Recommendation 1: The Chief Technology Officer should ensure that testing peer review guidance and other applicable guidelines are updated and that a test case management tool is used to ensure that APTC test case input data files, test cases, and test case run histories are properly controlled.

    Management’s Response: The IRS agreed with this recommendation. The IRS stated that the ACA Strategic Test Management Plan and supporting procedures will be updated to reflect additional testing peer review guidance and other applicable guidelines to ensure that APTC test case input data files, test cases, and test case run histories are properly controlled.

Recommendation 2: The Chief Technology Officer should ensure that CR templates, tools, and applicable change management guidelines are updated to ensure that CRs include the affected requirement numbers and requirement descriptions for adequate traceability of requirements and test cases to the RTVM.

    Management’s Response: The IRS agreed with this recommendation. The IRS stated that the PTC Project team has taken intermediate action to update the PTC Change Management Request template. They also will update their change management guidelines and templates to ensure that CRs include the affected requirement numbers and descriptions for adequate traceability of requirements and test cases to the RTVM.

Interagency Test Management Process Controls Need Improvement to Ensure Long-Term Success of the Premium Tax Credit Project

Interagency test cases were not developed in accordance with test management procedures

The IRS conducted interagency testing to verify integration, interface, performance, and reliability requirements for major design components of the system.
Interagency testing should\ninclude validating data formats and transmission, validating software and hardware\ninteroperability, and using manufactured data to invoke user-like work streams in a simulated\nproduction environment. Staff in each agency is responsible for repairing defects in their\nrespective systems and keeping the systems operational.\nThe interagency test cases that we analyzed contained user scenarios that were jointly developed\nby the Centers for Medicare and Medicaid Services (CMS) and the IRS. The test cases we\nconsidered were developed to validate the critical business processes for inbound requests from\nthe CMS and outbound responses from the IRS. For example, a test case could require the\nsubmission of a single PTC request from the CMS Federal Exchange, ensure that the correct\nresults are generated on the IRS systems, and verify those results are correctly returned and\npresented at the CMS Federal Exchange.\nWe observed that the IT Implementation and Testing organization personnel did not consistently\nfollow appropriate test management procedures. Internal Revenue Manual (IRM) 2.6.1 requires\nthat test cases be developed to support requirements testing. Test cases must specify and\ndocument the conditions to be tested and validate that system functions meet customer\nrequirements as translated into a documented functional design. Test cases should also include\nthe requirements being tested to ensure that each requirement is properly tested. During our\nreview, the IRS stated that test cases are mapped to requirements in the requirements traceability\nmatrix to ensure traceability. 
However, we reviewed five interagency test cases provided by the\nIT Implementation and Testing organization and found that they did not contain all key\nrequirements that must be tested to verify system capabilities.\nThe IT Implementation and Testing organization staff explained that testing with another Federal\nagency, including the HHS, involves new processes, so everyone is learning as the work\nprogresses with ACA systems development. Further, they explained that missing requirements\nwere not included in the test cases because of an IRS decision to restrict certain data during the\ntest case development process from the CMS.\nHowever, if requirement numbers and descriptions are not included in test cases, traceability\nbetween requirements, test cases, and test results may not be accurate or complete. Based on our\n\n                                                                                           Page 9\n\x0c                                    Affordable Care Act: Improvements Are\n                                  Needed to Strengthen Systems Development\n                                  Controls for the Premium Tax Credit Project\n\n\nreview, we concluded that the IRS has not applied established systems development controls to\nverify that the HHS Hub and the IRS portal for ACA effectively transfer data13 as needed by the\nIRS for calculating the maximum APTC.\n\nRecommendation\nRecommendation 3: The Chief Technology Officer should update test management\nprocedures to include additional controls and processes to document how traceability between\nrequirements, test cases, and test results will be achieved for interagency testing.\n           Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
The IRS\n           stated that the ACA Strategic Test Management plan will be updated to formally\n           document how traceability between requirements, test cases, and test results are achieved\n           for testing with external entities.\n\nSecurity Control Processes Need Improvement to Ensure Long-Term\nSuccess of the Premium Tax Credit Project\nThe IT Cybersecurity organization has contracted for security-related services, including ACA\nsystem testing support. The contract recognizes that the ACA impacts the IRS and the HHS,\nalong with other Federal and State agencies. It also recognizes that there are new processes,\nfunctions, and information technology capabilities required at both the management and\ntechnical levels, including the implementation of complex technical and business changes in\nparallel work streams. The ACA system testing support provided through this contract reflects\nan IRS decision that contractor resources and expertise are needed to implement these\ncapabilities and to manage the design, development, testing, deployment, integration, and\nmaintenance of the associated systems.\n\nFailed security controls identified by security control assessment testing require\ncorrective actions prior to system implementation\nThe ACA System Security Plan identified 12 security controls that were only partially\nimplemented during the APTC testing process that we reviewed. As a result, during the Security\nControl Assessment, some critical ACA infrastructure components included in the 12 security\ncontrols failed because they did not contain the appropriate baseline configurations and\nmandatory configuration settings as required by the National Institute of Standards and\nTechnology and IRM guidelines. 
*******************2***************************\n***********************************2******************************************\n***********************************2******************************************\n*********2****\n\n13\n     The HHS Hub is connected to IRS systems through the IRS\xe2\x80\x99s Transactional Portal Environment.\n                                                                                                   Page 10\n\x0c                              Affordable Care Act: Improvements Are\n                            Needed to Strengthen Systems Development\n                            Controls for the Premium Tax Credit Project\n\n\n   \xef\x82\xb7   ******************************2****************************.\n   \xef\x82\xb7   ******************************2*************************************\n       ******************2*********.\n   \xef\x82\xb7   ******************************2************************************\n       ***************2****.\n   \xef\x82\xb7   ****************2****************.\n   \xef\x82\xb7   **************2*********************************.\nMany of the vulnerabilities in information systems can be traced to software flaws and\nmisconfigurations of system components. During our observations of security testing for the\nPTC Project, IT Cybersecurity organization management ensured that the tests were conducted\nin accordance with the National Institute of Standards and Technology and IRM guidelines.\nHowever, the configuration baselines and configuration settings for the security controls were\nnot adequately tested as discussed previously. We requested additional information on the\ncorrective actions for the failed test controls. However, IT Cybersecurity organization\nmanagement could not provide documentation to verify the corrective measures during our audit\nfieldwork. 
As a result, we are concerned that known risks associated with component\nmisconfigurations might not have been mitigated for the PTC Project.\n\nChange management guidelines were not consistently followed when baseline\nsecurity requirements were withdrawn from the PTC Project\nThe ACA Program Configuration Management Plan, in accordance with IRM guidelines, also\nrequires that a CR be prepared and approved to change baseline requirements. According to the\nACA Program Requirements Plan, requirement changes start with the initiation of a CR and a\nchange impact assessment to determine the potential impact of changed baselined requirements\nprior to approving and implementing the CR. Once a CR is developed, it should be reviewed\nand dispositioned by the appropriate Change Control Board.\nDuring our review, we observed instances where change management guidelines were not\nfollowed to withdraw approved baseline security requirements from the PTC Project. For\ninstance, the CR and impact assessment prepared to withdraw specific security requirements\nincluded only one of the seven baseline requirements removed from the PTC Project.\nThis specific CR removed the following security requirement from the PTC Project:\n   \xef\x82\xb7   ****************************************2*************************\n       **********************2*****************.\nThe security manager stated that this requirement was removed because the PTC Project does not\nhave any application-level end users and that logical access to the application is provided by the\ninfrastructure.\n                                                                                          Page 11\n\x0c                             Affordable Care Act: Improvements Are\n                           Needed to Strengthen Systems Development\n                           Controls for the Premium Tax Credit Project\n\n\nHowever, the CR did not include the following six security requirements that were withdrawn\nfrom the 
PTC Project:\n       \xef\x82\xb7   ***********************************2*******************************\n           ***********************************2******************************\n           ***********************************2******************************.\n       \xef\x82\xb7   ***********************************2*******************************\n           ***********************************2******************************\n           ***********************************2******************************\n           *************************2******************.\n       \xef\x82\xb7   ***********************************2*******************************\n           ***********************************2******************************\n           *************************2******************.\n       \xef\x82\xb7   ***********************************2*******************************\n           ***********************************2******************************\n           ***********************************2******************************\n           *************************2******************.\n       \xef\x82\xb7   ***********************************2*******************************\n           ***********************************2******************************\n           ***********************************2******************************\n           *************************2****************************************\n           **********2************.\n       \xef\x82\xb7   ***********************************2*******************************\n           ***********************************2******************************\n           *************************2******************.\nDuring our review, IT Cybersecurity organization management stated that they did not have\naccess to the Change Request Tracking System tool because the tool was maintained at the ACA\nProgram level. 
Without this access, IT Cybersecurity organization staff explained that they were\nunable to ensure that the CRs were approved and processed. Due to this lack of transparency for\nthe PTC change management process, IT Cybersecurity organization staff was unaware of when\nfinal changes to the baseline security requirements were implemented. As a result, the IRS may\nbe unable to determine the potential impact of changed requirements on the security controls for\nthe PTC-CE, which could negatively impact functionality and delay successful deployment of\nthe PTC Project.\n\n\n\n\n                                                                                        Page 12\n\x0c                              Affordable Care Act: Improvements Are\n                            Needed to Strengthen Systems Development\n                            Controls for the Premium Tax Credit Project\n\n\nRecommendations\nRecommendation 4: The Chief Technology Officer should ensure that the IT Cybersecurity\norganization resolves or develops an action plan with specific corrective actions and time periods\nfor the failed security tests as part of the ACA Security Assessment and Authorization.\n       Management\xe2\x80\x99s Response: The IRS disagreed with this recommendation. 
The IRS\n       stated that it already does this process and it has documented policies in place in its IRM\n       that address this recommendation, and that IRM 10.8.1.3.5.1 requires weaknesses\n       identified during the Security Assessment and Authorization to be documented in a Plan\n       of Actions and Milestones to include planned, implemented, and evaluated remedial\n       actions to correct any deficiencies.\n       Office of Audit Comment: We acknowledge that the IRS has a process in place to\n       resolve or develop an action plan with specific corrective actions and time periods for\n       failed security tests as part of the ACA Security Assessment and Authorization.\n       However, we discussed this finding and recommendation with the PTC Project team and\n       IT Cybersecurity organization officials during our audit closing conference. In the\n       written management response to the draft report, the IRS did not address the audit\n       conditions and finding that prompted our recommendation. TIGTA maintains that this\n       recommendation should be addressed because during audit fieldwork, IT Cybersecurity\n       organization officials could not provide documentation to verify the corrective measures\n       for the failed test controls. By addressing this recommendation, the IRS could better\n       ensure that known risks associated with component misconfigurations are consistently\n       addressed for the PTC Project during the ACA Security Assessment and Authorization\n       process. Moreover, TIGTA maintains that this recommendation requires that, going\n       forward, the IT Cybersecurity organization follow its process to resolve or develop an\n       action plan with specific corrective actions and time periods for the failed security tests\n       that we reviewed as part of the ACA Security Assessment and Authorization. 
Such a\n       resolution or an action plan with the corrective actions is needed to ensure that the IRS is\n       addressing the vulnerabilities in information systems that can be traced to software flaws\n       and misconfigurations of system components for the PTC Project and across other\n       information technology projects being developed by the ACA Program.\nRecommendation 5: The Chief Technology Officer should ensure that CRs and impact\nassessments are accurately prepared and processed as required by change management\nguidelines.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       stated that steps have been taken to provide IT Cybersecurity organization staff with\n       access to the Change Request Tracking System so they are aware when final changes to\n       the baseline security requirements have been implemented.\n\n\n                                                                                           Page 13\n\x0c                                   Affordable Care Act: Improvements Are\n                                 Needed to Strengthen Systems Development\n                                 Controls for the Premium Tax Credit Project\n\n\nA Fraud Mitigation Strategy Is Not in Place to Guide Affordable Care\nAct Systems Development, Testing, Initial Deployment, and\nLong-Term Operations\nThe IRS\xe2\x80\x99s current IRMs do not address management\xe2\x80\x99s responsibility for managing, monitoring,\nand mitigating fraud risk with the development of new information technology systems for the\nACA. Further, the ACA Program has not yet completed a fraud mitigation strategy to guide\nongoing systems development. It is important for the IRS to thoroughly consider fraud threats\nand risks that could impact new ACA systems. For example, tax fraud is often defined as an\nintentional wrongdoing on the part of a taxpayer, with the specific purpose of evading a tax\nknown or believed to be owed. 
Tax fraud requires both a tax due and owing and fraudulent\nintent. The Improper Payment Information Act of 200214 requires Federal agencies, including\nthe IRS, to estimate and reduce the amount of improper payments made each year. Robust fraud\nmitigation controls and new systems are required to reduce improper and erroneous payments\nand fraud risk.\nIRM 25.1.1, Fraud Handbook, Overview/Definitions, provides an overview of fraud, defines the\nelements of fraud, and is a comprehensive guide for IRS employees in the recognition and\ndevelopment of potential fraud issues. IRM 25.1.2, Recognizing and Developing Fraud,\nprovides direction to IRS employees on how to recognize the signs of fraud and the development\nprocess used to prove fraud. However, neither of these IRMs addresses management\xe2\x80\x99s\nresponsibility for developing new systems to combat fraud risks.\nA pre-decisional briefing document prepared by the ACA PMO in response to our audit outlined\nthe IRS\xe2\x80\x99s ongoing fraud mitigation approach for its new ACA systems and applications.\nHowever, the ACA program management team acknowledged that this approach is not part of an\nestablished fraud mitigation strategy for ACA systems. Such a strategy is needed to guide\nsystems development including fraud controls for new ACA systems.\nDuring this audit, the IRS also informed us that two new systems, the Return Review Program\n(RRP)15 System and the ACA Validation Service System, are under development and will\naddress ACA tax refund fraud risk. However, until these new systems are successfully\ndeveloped and tested, TIGTA remains concerned that the IRS\xe2\x80\x99s existing fraud detection system16\n\n\n\n\n14\n   Pub. L. No. 107-300, 116 Stat. 
2350.\n15\n   The RRP is the key automated component of the IRS\xe2\x80\x99s pre-refund initiative and will implement the IRS\xe2\x80\x99s new\nbusiness model for a coordinated criminal and civil tax noncompliance approach to prevent, detect, and resolve tax\nrefund fraud.\n16\n   The IRS\xe2\x80\x99s current fraud detection system is the Electronic Fraud Detection System.\n                                                                                                          Page 14\n\x0c                                Affordable Care Act: Improvements Are\n                              Needed to Strengthen Systems Development\n                              Controls for the Premium Tax Credit Project\n\n\nmay not be capable of identifying ACA refund fraud or schemes prior to the issuance of tax\nreturn refunds. Further, our recent audit17 of the RRP system reported the following:\n     \xef\x82\xb7   Roles for program-level governance were not yet established for the RRP and the key\n         role of system integrator was not documented or clearly communicated.\n     \xef\x82\xb7   RRP Prototype Management Plans and critical systems development products were not\n         completed or approved by major stakeholders before significant resources were\n         committed to prototyping activities.\n     \xef\x82\xb7   Uncertainty about the systems development path for the RRP and the absence of\n         Enterprise Life Cycle guidance for prototypes hindered initial systems development\n         efforts.\n     \xef\x82\xb7   Alternative commercial software products were not fully considered prior to selecting\n         technology solutions for the RRP system.\n     \xef\x82\xb7   The IRS reported that the long-term limitations of its existing fraud detection system\n         include its inability to keep pace with increasing levels of fraud and to serve the\n         organization\xe2\x80\x99s evolving compliance needs.\nWithout a fraud detection and mitigation 
strategy, the ACA Program may not have assurances\nthat ACA systems adequately address emerging fraud control requirements. Further, without\nadequate fraud mitigation controls, the IRS may be unable to identify ACA refund fraud or\nschemes prior to the issuance of erroneous refunds.\n\nRecommendations\nRecommendation 6: The Chief Technology Officer should ensure that the IRM is updated to\nprovide specific guidance on how IRS management is to effectively manage, monitor, and\nmitigate fraud risk for information technology systems.\n         Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n         stated that the appropriate IRM sections will be updated to ensure that fraud risk is\n         considered in developing requirements and systems capabilities as part of every\n         legislative implementation project.\nRecommendation 7: The Chief Technology Officer should ensure that the ACA Program\ncompletes a comprehensive fraud mitigation strategy to guide ACA systems development,\ntesting, and implementation.\n\n\n\n17\n  TIGTA, Ref. No. 2013-20-063, Improvements Are Needed to Ensure Successful Development and System\nIntegration for the Return Review Program (Jul. 2013).\n                                                                                                 Page 15\n\x0c                     Affordable Care Act: Improvements Are\n                   Needed to Strengthen Systems Development\n                   Controls for the Premium Tax Credit Project\n\n\nManagement\xe2\x80\x99s Response: The IRS agreed with this recommendation and stated that\nit will be implemented for every ACA release. 
The IRS stated that in the development of\nACA 3.0, which is scheduled to go live in October 2013, they have already determined\nthere is no tax fraud risk with the APTC calculator or the Income and Family Size\nVerification process.\n\n\n\n\n                                                                               Page 16\n\x0c                                      Affordable Care Act: Improvements Are\n                                    Needed to Strengthen Systems Development\n                                    Controls for the Premium Tax Credit Project\n\n\n                                                                                                      Appendix I\n\n            Detailed Objective, Scope, and Methodology\n\nOur overall objective was to determine if the IRS is adequately managing systems development\nrisks for the PTC1 Project under the ACA Program. To accomplish our objective, we:\nI.         Determined whether the PTC Project has established key systems development,\n           management and control processes over risk management, requirements and change\n           management, and testing while following the Enterprise Life Cycle Iterative Path\n           process.\n           A. Determined whether PTC Project risks were properly identified, monitored, and\n              mitigated in accordance with applicable guidance.\n           B. Determined whether risks were being adequately managed regarding requirements\n              and change management in accordance with applicable guidance.\n           C. Determined whether risks have been adequately managed regarding the PTC Project\n              system testing activities in accordance with applicable guidance.\n                1. Determined the accuracy of the PTC-CE. We judgmentally sampled2 four PTC\n                   requirements from a total of 35. We selected these four requirements because\n                   they are the requirements that directly relate to the PTC-CE. 
We then selected\n                   two functional test cases for each of the four requirements, for a total of eight test\n                   cases.\n                2. Reviewed the adequacy of the Interagency Testing for the PTC Project.\nII.        Determined whether security controls for the PTC Project were designed and properly\n           tested to protect taxpayer data in accordance with applicable guidance.\nIII.       Determined whether fraud detection controls were designed into the PTC system in\n           accordance with applicable guidance.\n           A. Interviewed PTC Project personnel about fraud detection controls for the PTC\n              Project. We obtained and reviewed supporting documentation.\n           B. Determined the PTC Project\xe2\x80\x99s strategy for building fraud detection controls into the\n              PTC system.\n\n\n\n1\n    See Appendix V for a glossary of terms.\n2\n    A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n                                                                                                               Page 17\n\x0c                             Affordable Care Act: Improvements Are\n                           Needed to Strengthen Systems Development\n                           Controls for the Premium Tax Credit Project\n\n\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. 
We determined the following internal controls were relevant to our audit objective: IRM and related IRS guidelines and the processes followed in the development of information technology projects using the Iterative Path as they apply to the ACA Program's PTC Project.

We evaluated these controls by conducting interviews with management and staff, making observations of system development and testing activities, and reviewing relevant documentation. Documents reviewed include the PTC Project Management Plan, the ACA Program Configuration Management Plan, and other documents that provided evidence of whether the IRS is adequately managing systems development risks for the PTC Project.

Page 18

Affordable Care Act: Improvements Are Needed to Strengthen Systems Development Controls for the Premium Tax Credit Project

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Gwendolyn McGowan, Director, Systems Modernization and Applications Development
Suzanne Westcott, Audit Manager, Systems Modernization and Applications Development
Kevin Liu, Audit Manager, Technical Assistance Group
David Allen, Lead Auditor
Andrea Barnes, Senior Auditor
Wallace Sims, Senior Auditor
Allen Henry, Program Analyst
Linda Nethery, Information Technology Specialist
Nicholas Reyes, Information Technology Specialist

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Office of the Deputy Commissioner for Services and Enforcement SE
Deputy Chief Information Officer for Operations OS:CTO
Acting Director, Affordable Care Act Office SE:ACA
Director, Privacy, Governmental Liaison, and Disclosure OS:P
Associate Chief Information Officer, Affordable Care Act – Program Management Office OS:CTO:ACA
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Deputy Commissioner for Services and Enforcement SE
       Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Partial Process Diagram for Affordable Care Act 3.0, Including the Maximum Advanced Premium Tax Credit Calculation Process

The following figures provide a partial process diagram for ACA 3.0, including the maximum APTC calculation process.

TIGTA developed this diagram based on our review and analysis of various documents provided by the IRS, and IRS and HHS comments on a draft version of this diagram. Specifically, this includes the following documents:
   •   IRS ACA Release 3 End-to-End Overview (dated January 6, 2013).
   •   ACA orientation for TIGTA (February 7, 2013).
   •   ACA Program, Baseline Requirements, Solution Architecture, and IT Roadmap, Version 2.2 (March 23, 2012).
   •   ACA Release 3.0 System Security Plan (dated April 15, 2013).
   •   IRS comments on a draft version of this diagram (dated June 19, 2013; June 20, 2013; June 21, 2013; and July 9, 2013).
   •   HHS comments on a draft version of this diagram (dated July 2, 2013).

Additional acronyms shown in this diagram but not used elsewhere in the report include the following:
AGI = Adjusted Gross Income.
DHS = Department of Homeland Security.
FMS = Financial Management Service (a bureau of the Department of the Treasury).
ID = Identification.
IFSV = Income and Family Size Verification.
QHP = Qualified Health Plan.
SSA = Social Security Administration.
SSN = Social Security Number.
TPE = Transactional Portal Environment.

Source: TIGTA diagram based on information provided by the IRS and HHS.

Appendix V

Glossary of Terms

Adjusted Gross Income: The total of an individual's wages, salaries, interest, dividends, etc., minus allowable deductions.

Affordable Care Act (ACA): In March 2010, the President signed into law the Patient Protection and Affordable Care Act to provide more Americans with access to affordable health care by January 1, 2014.

Advanced Premium Tax Credit: Paid in advance to a taxpayer's insurance company to help cover the cost of premiums.

Auditable Events: Actions taken on IRS systems that shall be captured and recorded for subsequent audit review based on the impact level of the system (high, moderate, or low) as determined by the guidelines in the National Institute of Standards and Technology Federal Information Processing Standards 199, Standards for Security Categorization of Federal Information and Information Systems. IRM 10.8.3 contains lists of auditable events applicable to the systems categorized as high, moderate, or low based on the National Institute of Standards and Technology Federal Information Processing Standards 199.

Baseline Configuration: A set of specifications for a system, or configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

Centers for Medicare and Medicaid Services (CMS): A division of the HHS, the CMS provides health coverage for 100 million people through Medicare, Medicaid, and the Children's Health Insurance Program.

Change Management: The transition of a changed or new product through development to deployment into the current production environment with minimum disruption to users. This can occur in a number of ways including, but not limited to: (1) implementation of a change to a product baseline; (2) establishing a new product baseline; and (3) a change to a Service Level Agreement.

Change Request: The method for requesting approval to change a baselined product or other controlled item.

Configuration Settings: The set of parameters that can be changed in hardware, software, and/or firmware that affect the security posture and/or functionality of the information system.

Electronic Fraud Detection System: An IRS automated compliance system designed to maximize fraud detection at the time tax returns are filed to prevent the issuance of questionable refunds. The primary information system used to support the Criminal Investigation Questionable Refund Program.

Enterprise Life Cycle: The Enterprise Life Cycle is the approach used by the IRS to manage and implement business change through information systems initiatives.

Exchange: Exchanges are intended to provide a place for Americans to shop for health insurance in a competitive environment.

Federal Poverty Level (FPL): Guidelines published and updated periodically in the Federal Register by the Secretary of the HHS. The APTC will be available for individuals and families whose incomes are at least 100 percent and up to 400 percent of the FPL who do not have minimal essential coverage.

Health and Human Services: The U.S. Government's principal agency for protecting the health of all Americans and providing essential human services.

Hub: Supports the exchanges by providing a single point where exchanges may access data from different sources, primarily Federal agencies.

Income and Family Size Verification: Will verify income and family size for individuals requesting eligibility for an APTC for health insurance.

Infrastructure: The fundamental structure of a system or organization. The basic, fundamental architecture of any system (electronic, mechanical, social, political, etc.) determines how it functions and how flexible it is to meet future requirements.

Iterative Systems Development Life Cycle: The Iterative Path is an adaptive development approach in which projects start with initial planning and end with deployment, with repeated cycles of requirement discovery, development, and testing in between. It is a more flexible and adaptable process than traditional sequential development approaches.

JavaBeans Open Source Software: A platform for developing and deploying enterprise applications, Web applications, and services and portals.

Logical Access: The ability to interact with data through access control procedures such as identification, authentication, and authorization.

Low Impact System: An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a Federal Information Processing Standards 199 potential impact value of low.

Minimum Essential Coverage: The type of coverage an individual needs to have to meet the individual responsibility requirement under the ACA. This includes individual market policies, job-based coverage, Medicare, Medicaid, and certain other coverage.

National Institute of Standards and Technology: A nonregulatory Federal agency within the Department of Commerce responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.

Oracle: An object-relational database management system.

Premium Tax Credit: A new refundable tax credit to help taxpayers and families afford health insurance coverage purchased through an Exchange.

Remainder Benchmark Household Contribution: The household's contribution towards the monthly insurance premium.

Requirement: A formalization of a need and the statement of a capability or condition that a system, subsystem, or system component must have or meet to satisfy a contract, standard, or specification.

Requirements Traceability Verification Matrix: A tool that documents requirements and establishes the traceable relationships between the requirements to be tested and their associated test cases and test results.

Second Lowest Cost Silver Plan: Plans in the Marketplace are primarily separated into four health plan categories (Bronze, Silver, Gold, or Platinum) based on the percentage the plan pays of the average overall cost of providing essential health benefits to members. The PTC is calculated using the Second Lowest Cost Silver Plan, regardless of what plan the taxpayer ultimately selects.

Sprint: A process that develops a piece of functionality of the system with repeated cycles of requirements discovery, planning, design, development, and testing. ACA projects conduct a series of "sprints," either sequentially or even in parallel, within each release. The goal of each sprint is to get a subset of the project's functionality to a "production-ready" state. At the end of the sprint, the functionality developed is fully tested (although it will not be put into production until a later date).

Test Case: Created to specify and document the conditions to be tested and to validate that a system functions as intended.

Transactional Portal Environment: A portal environment to service ACA information system needs. The IRS uses the Transactional Portal Environment for mediating transaction requests between the Hub and the IRS.

UNIX Policy Checker: A policy checking tool used to examine servers or mainframe systems and compare their operating system configuration settings to the IRS Cybersecurity policies or interim guidance.

webMethods: Provides a business process integration software for the enterprise, such as a platform, which is an underlying computer system on which application programs can run.

Appendix VI

Management's Response to the Draft Report